Transcript of 2015-year-ahead-in-cyber-security-150113122914-conversion-gate02
Today’s topic
• What cyber threats will your business face in 2015?
• From cyber criminals to nation states and hacktivists, threats are evolving
• What should you be doing now?
• The best use of resources to protect your business
The agenda
• Defining moments of 2015
• Lessons for 2015
• Threats and responses
• Strategies for success
Q1: Which 2014 security news story concerns you the most?
• Sony Pictures hacks
• JPMorgan Chase breach
• PSN DDoS attack
• Community Health Systems breach
• None of the above
Defining moments: Sony+
• Last year it was Snowden/Target
• This year it’s Sony
• Also maybe JP Morgan Chase
• With a touch of The Home Depot
• Plus The Home of a Despot
• Some politics and NSA
• And a sprinkle of IoT
Sony Pictures epic hack
• Data destroyed, stolen, exposed
• System availability denied/degraded
• Present and former employees personally impacted
• Lawsuits
• Brand damage
Systemic security failure?
• A history of being attacked
• A “live with the risk” attitude
• Known weaknesses not remedied
• PWC audit, second half of July
  – One firewall and more than 100 other devices not monitored by corporate security team
  – Monitored by studio’s in-house group
  – "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely"
Lesson #1
• Don’t leave unencrypted audit reports in executive email inboxes
• Don’t put into unencrypted email anything you may later regret saying or sharing (words, images, reports, etc.)
• Most email is unencrypted
• If they own your account, encryption is not going to keep secrets
Lesson #2
• Make your security awesome before you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if he’s okay with you taunting hackers
• If he says yes, get a second opinion
Lesson #3
• Hacktivism is here to stay
• The Internet is fundamentally asymmetric
• May discretion be the better part of cyber valor?
JPMorgan Chase hack
• Deeper and wider than first announced
• “This was a sophisticated attack with nation state overtones”
Lesson #4
• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack activity is higher than ever
• E.g. fewer cyber attacks on retailers, but more efficient*
*IBM 2014 Retail Intelligence Report
Lesson #5
• Don’t play the “sophisticated nation state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures have tried this
• Why? Lays groundwork for legal defense against negligence claims*
The Home Depot et al.
• Point of sale hacking continues, plus SQL injection attacks on retailers
• Look for more of the same, even as chip cards start to take over
• Transition period may offer points of entry for hackers
• Card data still useful for online fraud
Q2: Chip cards are coming and they are hard to fake, so the people who now make money from card fraud will:
• Get jobs
• Try a different kind of fraud
Lesson #6
• Crime displacement
• EMV technology will make it harder to turn stolen payment card data into fake cards
• The people who buy card data to make fake cards will turn to other forms of crime: Identity theft?
Tax ID fraud
• Cost taxpayers $5 billion in 2013
• Will be big in 2015
• An easy alternative to card fraud
• IRS needs to do more, but Congress cut the IRS budget
• File early with fingers crossed
• Takes 9 months to correct (average)
Some politics and NSA
• NSA court cases and legislation will keep privacy top of mind for many
• Political stalemate and lack of trust will hamper efforts to:
  – Share data between .gov and .com
  – Boost spending on cybercrime deterrence
And a sprinkle of IoT
• The Internet of Things will continue to grow and get hacked
• Security threat to organizations still low relative to BYOD
• Except in sectors that use SCADA
• Privacy and rights issues may emerge re: webcams, company monitoring of IoT devices
Lesson #7
• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
  – Data about people = money
• Nation state hacking
  – From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
  – Current and former employees, competitors, natural/human disasters (stormy weather?)
Wildcards
• New forms of payment and currency:
  – Apple Pay and other digital wallets
  – Bitcoin and other virtual currencies
• Regional conflicts
• The weather
Q3: A disaster puts your offices and computers off limits for 3 days. Are you:
• Well prepared with a written plan ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble
Security strategies: BCM/IR
• Business Continuity Management and Incident Response means…
• Preparing to respond to:
  – Security breaches, data theft
  – Privacy incidents, internal fraud
  – Extreme weather, man-made disasters
• At all levels:
  – Communications, people, processes, data and systems, recovery, analysis
Security strategies: Backup
• The ultimate protection against
  – Data loss and data ransom
  – User error and system failure
  – Natural and man-made disasters
• Review current strategies and test current implementations
• Consider all options (cloud, physical)
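"Test current implementations" is the step most backup programs skip: a backup that has never been restored and compared against the original is a hope, not a control. The script below is an added example, not part of the slide deck or of any product it mentions. It assumes a plain file-level backup, records a SHA-256 manifest beside the backup at backup time, and at restore-test time reports files that are missing, changed (e.g. silently corrupted), or unexpectedly present, plus whether the backup is older than an allowed age. The directory layout and file contents are constructed for the demonstration.

```python
"""Backup restore-test helper (added example, not from the slide deck).

Workflow it models:
  1. at backup time: build_manifest(source_tree) -> store as JSON next to the backup
  2. at restore-test time: verify_restore(manifest, restored_tree) -> findings
All paths, file names and contents below are constructed sample data.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Constructed sample tree: relative path -> contents
SAMPLE_TREE = {
    "finance/ledger.csv": "acct,amount\n1001,250\n",
    "notes.txt": "quarterly plan\n",
}


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_of(p)
    return {"created": time.time(), "files": files}


def verify_restore(manifest: dict, restored: Path, max_age_days: float = 7.0) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    expected = manifest["files"]
    actual = build_manifest(restored)["files"]
    missing = sorted(set(expected) - set(actual))          # lost in backup or restore
    extra = sorted(set(actual) - set(expected))            # not in the backup set
    changed = sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k])
    age_days = (time.time() - manifest["created"]) / 86400  # how stale the backup is
    stale = age_days > max_age_days
    return {
        "missing": missing,
        "extra": extra,
        "changed": changed,
        "stale": stale,
        "ok": not (missing or changed or stale),
    }


def _write_tree(root: Path, files: dict) -> None:
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo(corrupt: bool) -> dict:
    """Constructed scenario: back up SAMPLE_TREE, round-trip the manifest through
    JSON (as a real job would), then verify a restore. With corrupt=True the
    restore has one silently altered file and one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        _write_tree(source, SAMPLE_TREE)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source)))
        manifest = json.loads(manifest_path.read_text())

        restored_files = dict(SAMPLE_TREE)
        if corrupt:
            restored_files["finance/ledger.csv"] = "acct,amount\n1001,25\n"  # one digit lost
            del restored_files["notes.txt"]                                 # file never restored
        restored = Path(tmp) / "restored"
        _write_tree(restored, restored_files)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:  ", json.dumps(demo(False)))
    print("damaged restore:", json.dumps(demo(True)))
```

Run it periodically against a real restore into scratch storage, not just against the backup archive: the point is to exercise the same restore path you would use after a ransomware incident or a flooded office, and the age check is what catches a backup job that quietly stopped running.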
Strategies: Encryption
• Time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of encryption, e.g. between data centers
Strategies: Policy/compliance
• Start of the new year is a good time to check:
• Are your information security policies complete and up-to-date?
  – New technologies, new data, new hires
• Are you aware of new laws affecting your compliance around privacy, data protection?
Strategies for success
• Are you responsible for protecting data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness (courtesy Snowden-Target-HomeDepot-Sony-JPMorgan)
• Take a structured approach
You are not alone
• Network with others, across departments, up/down the org chart
• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard, NCSA, VB
• NIST, SOeC
Revisit roadblocks
• In 2015 the public and press will be on high alert re: privacy and security
• Bosses may not “like” security but breaches = lost customers, lost revenue, lost jobs
• Employees may be more interested in security than you think
Last word: Due care
• Remember: complying with rules & regulations (e.g. PCI, HIPAA, SOX) is not the same as being secure
• Your security will be judged in the courts: media, public opinion, law
• Liability under law hinges on reasonableness, due care
Thank you! Have a safer 2015!
• [email protected]
• WeLiveSecurity.com
• www.eset.com
• www.slideshare.net/zcobb